which ports are in need to be opened to change password over VPN

 
 
kreit

 
      10-10-2007, 05:16 AM
Good day,
Could you explain which ports need to be opened to change passwords
over VPN? Windows XP is a member of a domain. Sometimes remote users will
change their passwords out of the office via VPN.

Thank you in advance
Andrey
 
 
 
 
 
Bill Grant

 
      10-10-2007, 05:30 AM
It won't be a problem with ports. All traffic between the remote user and
the VPN server is encrypted and encapsulated in transit. It all uses the
same port (tcp port 1723 for pptp). It is nothing like a normal TCP/IP
connection.

 
kreit

 
      10-10-2007, 05:38 AM
Bill, thank you for your prompt response. I should have explained my question
in more detail.

I understand the client communicates via 1723 and GRE for PPTP.
There are some restrictions/filters that determine which resources in the
corporate network remote users are allowed to access. Which minimum
ports need to be open between a client and a DC to be able to
change an AD domain account password?

Thank you

 
Bill Grant

 
      10-10-2007, 06:12 AM
As I said, that doesn't affect remote users. The packets come through the
firewall as encrypted data. All the firewall sees is the GRE header. The
packets are unencrypted inside the firewall. The only filters which could
affect this would be filters between the VPN server and the DC.

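The GRE header mentioned in the post above, as an added example that is not part of the original thread: a parser for the enhanced GRE header that PPTP data packets carry (layout per RFC 2637), showing which fields a filter on the path can read. The function name and the sample packet are constructed for illustration.

```python
import struct

GRE_PROTO_PPP = 0x880B    # protocol type used by PPTP's enhanced GRE
FLAG_KEY = 0x2000         # K: payload length and call ID are present
FLAG_SEQ = 0x1000         # S: sequence number follows the fixed header
FLAG_ACK = 0x0080         # A: acknowledgment number follows


def parse_pptp_gre(packet: bytes) -> dict:
    """Return the header fields readable without touching the payload."""
    if len(packet) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack_from("!HHHH", packet)
    # PPTP uses GRE version 1 with the key bit set; anything else is other GRE.
    if (flags & 0x0007) != 1 or proto != GRE_PROTO_PPP or not (flags & FLAG_KEY):
        raise ValueError("not a PPTP enhanced GRE packet")
    fields = {"call_id": call_id, "seq": None, "ack": None}
    offset = 8
    # Optional 32-bit fields appear in this order when their flag is set.
    for flag, name in ((FLAG_SEQ, "seq"), (FLAG_ACK, "ack")):
        if flags & flag:
            if len(packet) < offset + 4:
                raise ValueError(f"truncated {name} field")
            (fields[name],) = struct.unpack_from("!I", packet, offset)
            offset += 4
    payload = packet[offset:offset + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload shorter than declared length")
    fields["payload"] = payload   # PPP frame, opaque to the filter
    return fields


# Constructed sample: K, S and A set, version 1, call ID 0x1234, seq 7, ack 5,
# followed by six placeholder bytes standing in for the PPP frame.
SAMPLE = struct.pack("!HHHHII", 0x3081, GRE_PROTO_PPP, 6, 0x1234, 7, 5) + bytes(6)

if __name__ == "__main__":
    info = parse_pptp_gre(SAMPLE)
    print(f"call_id={info['call_id']:#06x} seq={info['seq']} "
          f"ack={info['ack']} payload_bytes={len(info['payload'])}")
```
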
 
kreit

 
      10-10-2007, 06:20 AM
"would be filters between the VPN server and the DC" - that's exactly what I'm
interested in. Which ports should be opened etc. between the VPN server and
DC to authenticate and change passwords?



 
Bill Grant

 
      10-10-2007, 07:52 AM
I have to ask - why would you have a firewall there? Do you have a
firewall between your LAN clients and the DC?

 
Raptor

 
      10-10-2007, 02:26 PM


I'm assuming that there is just an internal firewall in place and the VPN
appliance is on the outside of that. Hence the VPN is separated from the
DC.
Anyway, the best I could find that may help you is that the AD logon is on
port TCP 50000 and requires the RPC port at TCP 135 to be open as well.

I'm not sure if that will work or not, but it was about the closest thing I
could find out about ports for AD and passwords.


 
 
Bill Grant

 
      10-10-2007, 11:35 PM


You may be right about an internal firewall, but why would you do that?
If you have gone to the trouble of setting up a VPN server to give remote
machines access to your domain, why would you put that VPN server in a
network which can't see a DC? If the VPN server is in a DMZ, you have really
destroyed the integrity of the internal firewall if you allow DMZ machines
access to your DC.

The time to get the VPN traffic through firewalls is while the data is
still encrypted and encapsulated. When it is unencrypted it should be on the
same network as the LAN machines. The whole point of a Virtual Private
Network is that the remote user's experience is as close as possible to the
LAN user's.


 
 
kreit

 
      10-30-2007, 10:57 AM
Thanks for your feedback! Could you let me know where/how you found this info?

Andrey


"Raptor" wrote:

> I'm not sure if that will work or not, but it was about the closest thing I
> could find out about ports for AD and passwords.



 
 
Raptor

 
      10-30-2007, 01:04 PM



I can't find the same page where I pulled the information from before, but
here is another one I found with some port information on it.
http://support.microsoft.com/kb/832017

Both this one and the last one I looked up were from the MS KB.


 